Foxboron / ssh-tpm-agent

:computer: :key: ssh-agent for TPMs
MIT License
354 stars 20 forks

0.3.0: default key length not valid #42

Closed grawity closed 8 months ago

grawity commented 8 months ago

Docs say that ECDSA P-256 is the default if neither -t nor -b is specified, but that doesn't seem to be the case:

$ ssh-tpm-keygen
2024/02/26 11:12:10 invalid ecdsa key length: TPM does not support 0 bits

$ ssh-tpm-keygen -t ecdsa
2024/02/26 11:16:39 invalid ecdsa key length: TPM does not support 0 bits

Specifying -t rsa without -b seems to correctly generate a 2048-bit RSA key.
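One defensive way to handle the situation the report describes, where an omitted -b flag reaches the TPM length check as 0 bits: resolve the documented defaults before validating the length. This is an added Go example, not ssh-tpm-agent's own code; the ResolveKeyParams function and the supported-length table are assumptions for illustration.

```go
package main

import "fmt"

// Key lengths accepted per key type. Constructed for this example; the
// real tool's table may differ.
var supportedBits = map[string][]int{
	"ecdsa": {256, 384, 521},
	"rsa":   {2048, 3072, 4096},
}

// Defaults applied when -b is not given (assumed, matching the behaviour
// described in the issue: P-256 for ecdsa, 2048 for rsa).
var defaultBits = map[string]int{
	"ecdsa": 256,
	"rsa":   2048,
}

// ResolveKeyParams fills in the default key type for an empty -t and the
// default length for an unset -b (0) *before* the length check, so a
// missing -b never produces "TPM does not support 0 bits".
func ResolveKeyParams(keyType string, bits int) (string, int, error) {
	if keyType == "" {
		keyType = "ecdsa" // documented default key type
	}
	allowed, ok := supportedBits[keyType]
	if !ok {
		return "", 0, fmt.Errorf("unsupported key type: %q", keyType)
	}
	if bits == 0 {
		bits = defaultBits[keyType]
	}
	for _, b := range allowed {
		if b == bits {
			return keyType, bits, nil
		}
	}
	return "", 0, fmt.Errorf("invalid %s key length: TPM does not support %d bits", keyType, bits)
}

func main() {
	// The four invocations from the report plus one bad length.
	for _, c := range []struct {
		t string
		b int
	}{{"", 0}, {"ecdsa", 0}, {"rsa", 0}, {"ecdsa", 256}, {"ecdsa", 123}} {
		kt, b, err := ResolveKeyParams(c.t, c.b)
		fmt.Printf("-t %q -b %d -> %s %d err=%v\n", c.t, c.b, kt, b, err)
	}
}
```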

FLX-0x00 commented 8 months ago

Same on my end. Specifying the -b parameter works:

❯ ssh-tpm-keygen
2024/02/27 18:34:59 invalid ecdsa key length: TPM does not support 0 bits
❯ ssh-tpm-keygen -b 256
Generating a sealed public/private ecdsa key pair.
Enter file in which to save the key (/home/XXXX/.ssh/id_ecdsa): 

FLX-0x00 commented 8 months ago

Maybe a small upgrade guide should be placed in the release notes for users who have already used the other keys =) For me, removing the .tpm file and reimporting with ssh-tpm-keygen --import id_ecdsa -b 256 works.

Foxboron commented 8 months ago

@FLX-0x00 Lol, what? Does that actually work?

FLX-0x00 commented 8 months ago

Yes. I was wondering what if I specify my own key length... yep, works. Maybe there is also something wrong with the parser. =) Happy to help.

FLX-0x00 commented 8 months ago

Because the error was the same on import, I tried it out with -b and now I can use ssh again =) I converted all my ssh stuff to this tool, so I was really in a rush to get this running again :D

Foxboron commented 8 months ago

That shouldn't work. The --import code literally parses the secret parts of the key out of an existing ssh formatted private key.

I suspect you are accidentally importing your old id_ecdsa key.

FLX-0x00 commented 8 months ago

.rw-r--r--   505 xxx  xxx   27 Feb 18:56  id_ecdsa
❯ file id_ecdsa
id_ecdsa: OpenSSH private key

❯ ssh-tpm-keygen --import id_ecdsa
2024/02/27 18:56:05 invalid ecdsa key length: TPM does not support 0 bits
❯ ssh-tpm-keygen --import id_ecdsa -b 256
Sealing an existing public/private ecdsa key pair.

FLX-0x00 commented 8 months ago

I added my "old" key again yes. The key is ecdsa-sha2-nistp256

FLX-0x00 commented 8 months ago

That shouldn't work. The --import code literally parses the secret parts of the key out of an existing ssh formatted private key.

I suspect you are accidentally importing your old id_ecdsa key.

Of course I have made a backup before sealing the key with the .tpm extension. So I removed the old .tpm file and imported my backup key again. Now the "new" sealed key works with the agent. Was it wrong?

Foxboron commented 8 months ago

Of course I have made a backup before sealing the key with the .tpm extension. So I removed the old .tpm file and imported my backup key again. Now the "new" sealed key works with the agent. Was it wrong?

No, it only confused me how you were re-importing the key. But all good.

FLX-0x00 commented 8 months ago

Hard to hear from the owner of the repo, but hey, if you need anything that helps with debugging this stuff, just hit me up here. I will provide everything except the armored output of my private key ;)